EVM protects a file's security extended attributes against integrity attacks. It maintains an HMAC-sha1 value across the extended attributes, storing the value as the extended attribute 'security.evm'. EVM has gone through a number of iterations, initially as an LSM module, subsequently as a LIM integrity provider, and now, when co-located with a security_ hook, embedded directly in the security_ hook, similar to IMA.

This is the first part of a local file integrity verification system. While this part does authenticate the selected extended attributes, and cryptographically bind them to the inode, coming extensions will bind other directory and inode metadata for more complete protection. The set of protected security extended attributes is configured at compile time.

EVM depends on the Kernel Key Retention System to provide it with the kernel master key for the HMAC operation. The kernel master key is securely loaded onto the root's keyring, typically by 'loadkernkey', which either uses the TPM sealed secret key, if available, or a password requested from the console. To signal EVM that the key has been loaded onto the keyring, 'echo 1 > <securityfs>/evm'. This is normally done in the initrd, which has already been measured as part of the trusted boot. (Refer to http://linux-ima.sourceforge.net/#EVM.)

EVM adds the following three calls to the existing security hooks: evm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr().
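The following is an added, in-memory model of the mechanism described above; it is example code written for this page, not the kernel's EVM implementation. It computes an HMAC-sha1 over a fixed set of protected security xattrs, binds the result to inode identity, stores it as 'security.evm', and shows where the three hooks sit on the setxattr/removexattr path. The protected xattr names, the byte layout fed into the HMAC, the 'unknown'/'nolabel'/'pass'/'fail' status names and the refusal of direct writes to 'security.evm' are this example's own assumptions.

```python
import errno
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

# Protected xattr set: fixed at compile time in EVM; these particular
# names are this example's assumption.
PROTECTED_XATTRS = ("security.selinux", "security.SMACK64", "security.ima")
EVM_XATTR = "security.evm"


@dataclass
class Inode:
    """Constructed stand-in for the inode fields the HMAC is bound to."""
    ino: int
    generation: int
    uid: int
    gid: int
    mode: int
    xattrs: dict = field(default_factory=dict)


@dataclass
class EvmState:
    """EVM's copy of the kernel master key: None until the initrd has
    loaded it and signalled 'echo 1 > <securityfs>/evm'."""
    key: Optional[bytes] = None


def evm_calc_hmac(key: bytes, inode: Inode) -> bytes:
    """HMAC-sha1 over each present protected xattr (name and value, in a
    fixed order) plus inode identity, so the xattrs cannot simply be
    copied to another file.  The byte layout here is an assumption."""
    h = hmac.new(key, digestmod=hashlib.sha1)
    for name in PROTECTED_XATTRS:
        value = inode.xattrs.get(name)
        if value is not None:
            h.update(name.encode() + b"\0" + value + b"\0")
    h.update(struct.pack("<QIIII", inode.ino, inode.generation,
                         inode.uid, inode.gid, inode.mode))
    return h.digest()


def evm_verify(state: EvmState, inode: Inode) -> str:
    """Return 'unknown' (no key yet), 'nolabel', 'pass' or 'fail'."""
    if state.key is None:
        return "unknown"
    stored = inode.xattrs.get(EVM_XATTR)
    if stored is None:
        return "nolabel"
    if hmac.compare_digest(stored, evm_calc_hmac(state.key, inode)):
        return "pass"
    return "fail"


def evm_protect_xattr(state: EvmState, inode: Inode, name: str) -> int:
    """Shared check for the setxattr and removexattr hooks: a protected
    xattr may only change while the current HMAC still verifies, so
    offline tampering cannot be laundered into a fresh security.evm.
    Returns 0 or a negative errno, kernel style."""
    if name == EVM_XATTR:
        return -errno.EPERM  # only EVM itself writes the HMAC (assumption)
    if state.key is None or name not in PROTECTED_XATTRS:
        return 0  # EVM not initialised yet, or an unprotected xattr
    return -errno.EPERM if evm_verify(state, inode) == "fail" else 0


def evm_inode_setxattr(state: EvmState, inode: Inode, name: str) -> int:
    return evm_protect_xattr(state, inode, name)


def evm_inode_post_setxattr(state: EvmState, inode: Inode, name: str) -> None:
    """After a successful write, re-seal the protected set."""
    if state.key is not None and name in PROTECTED_XATTRS:
        inode.xattrs[EVM_XATTR] = evm_calc_hmac(state.key, inode)


def evm_inode_removexattr(state: EvmState, inode: Inode, name: str) -> int:
    return evm_protect_xattr(state, inode, name)


def vfs_setxattr(state: EvmState, inode: Inode, name: str, value: bytes) -> int:
    """Toy VFS path showing where the hooks are called."""
    rc = evm_inode_setxattr(state, inode, name)
    if rc:
        return rc
    inode.xattrs[name] = value
    evm_inode_post_setxattr(state, inode, name)
    return 0


def vfs_removexattr(state: EvmState, inode: Inode, name: str) -> int:
    rc = evm_inode_removexattr(state, inode, name)
    if rc:
        return rc
    inode.xattrs.pop(name, None)
    # Re-sealing after a removal is this example's simplification.
    evm_inode_post_setxattr(state, inode, name)
    return 0
```

Two failure modes are worth exercising against this model: an offline edit of 'security.selinux' that bypasses the hooks leaves the stored HMAC stale, so verification fails and any further setxattr or removexattr on the protected set is refused rather than re-sealed; and copying a valid xattr set to a different inode fails because inode identity is part of the HMAC input.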